Robert G. Brown wrote:
> On Fri, 20 Jun 2008, Perry E. Metzger wrote:
>>>>> "Robert G. Brown" <rgb at phy.duke.edu> writes:
>>> On Fri, 20 Jun 2008, Chris Samuel wrote:
>>>> ----- "Joe Landman" <landman at scalableinformatics.com> wrote:
>>>>>>>>> People spend lots of time and effort on security theater. Make up odd
>>>>> rules for passwords. Make them hard to guess and crack. Well, is
>>>>> that the vector for break-ins? Weak passwords?
>>>>>>>> Yeah - sadly.. :-(
>>>>>> Do you have an recent contemporary evidence for that?
>>>> Yes, Run a box with sshd on it connected to the internet and watch your
>> logs for a few days. You will find numerous attempts to try thousands
>> of possible account names and passwords -- brute force cracking.
>> Well, yeah, sure, I know about that as I DO watch my logs -- I just
> haven't heard of one of these attacks SUCCEEDING in pretty much forever,
> for obvious reasons.
Run pam_abl on your machine, and you can pretty much guarantee that the
brute force attacks will not work, even if they miraculously guess the
right password. This presumes more than some small number of previous
login failures.
[...]
>> Here is an extract from the log on a real machine, one of mine, from
>> last night:
>>>> Jun 19 20:56:53 smaug sshd[2577]: Invalid user secretariat from
>> 70.90.14.154
>> Jun 19 20:56:54 smaug sshd[2522]: Invalid user secretar from 70.90.14.154
>> Jun 19 20:56:55 smaug sshd[23949]: Invalid user present from 70.90.14.154
>> Jun 19 20:56:56 smaug sshd[3440]: Invalid user test from 70.90.14.154
>> Jun 19 20:56:57 smaug sshd[8809]: Invalid user test from 70.90.14.154
>> Jun 19 20:56:58 smaug sshd[21600]: Invalid user teste from 70.90.14.154
>> Jun 19 20:56:59 smaug sshd[314]: Invalid user teste from 70.90.14.154
>> Sure, it goes on and on. I don't really LIKE seeing this, especially on
> a server with sensitive information, but that is precisely why one
> configures such servers with tight controls and runs a password checker.
Use pam_abl. Really. Even if the password were weak, and they guessed
it on the 57th try, pam_abl will stop the login. Read the manual.
Adjust the config settings.
Our ssh logs are scary, have been for a while. They aren't the scariest
of our logs.
Even paranoids have enemies.
--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web : http://www.scalableinformatics.comhttp://jackrabbit.scalableinformatics.com
phone: +1 734 786 8423
fax : +1 866 888 3112
cell : +1 734 612 4615
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.